GE released new firmware to mitigate an improper input validation vulnerability in its PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, and RXi, according to a report with NCCIC.
Successful exploitation of this remotely exploitable vulnerability, discovered by Younes Dragoni of Nozomi Networks, could cause the device to reboot and change its state, causing the device to become unavailable.
The following versions of PACSystems, an industrial Internet controller, suffer from the vulnerability:
• PACSystems RX3i CPE305/310 version 9.20 and prior
• RX3i CPE330 version 9.21 and prior
• RX3i CPE 400 version 9.30 and prior
• PACSystems RSTi-EP CPE 100 all versions
• PACSystems CPU320/CRU320 and RXi all versions
The device does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable.
CVE-2018-8867 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product sees use mainly in the critical manufacturing sector and is deployed on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
GE released the following firmware to mitigate the vulnerability (login required):
IC695CPE305 – Upgrade Kit: CPE305_FW9_40_41G1733-MS10-000-A17.zip
IC695CPE310 – Upgrade Kit: CPE310_FW9_40_41G1734-MS10-000-A17.zip
IC695CPE330 – Upgrade Kit: CPE330_FW9_40_41G2016-FW01-000-A11.zip
IC695CPE400 – Upgrade Kit: CPE400_FW9_40_41G2376-FW01-000-A3.zip
For CPE100, click here for the newest firmware.
GE said CPU/CRU320 is end of life, and there is a direct upgrade path available to users.
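To find which controllers in an asset inventory fall inside the affected ranges listed above, a check like the following can be run against an export of model and firmware strings. This is an added example, not GE or NCCIC code; the function names and the sample inventory are constructed, and it assumes firmware versions are written as major.minor and compare as integer pairs.

```python
import re

# Affected ranges as listed in the advisory text above.
# A (major, minor) tuple means "this version and prior"; None means all versions.
AFFECTED = {
    "CPE305": (9, 20), "CPE310": (9, 20), "CPE330": (9, 21), "CPE400": (9, 30),
    "CPE100": None, "CPU320": None, "CRU320": None, "RXI": None,
}

def parse_version(text):
    """Return (major, minor), or None if the string is not 'N.N' (assumed format)."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\s*", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def normalize_model(text):
    """Map names like 'IC695CPE305' or 'RX3i CPE 400' to a key in AFFECTED."""
    compact = re.sub(r"[\s_-]", "", text).upper()
    for key in AFFECTED:
        if compact.endswith(key):
            return key
    return None

def assess(model, version):
    """Classify one asset: 'affected', 'not listed as affected', or 'review'."""
    key = normalize_model(model)
    if key is None:
        return "review"            # model is not named in this advisory
    limit = AFFECTED[key]
    if limit is None:
        return "affected"          # advisory lists all versions
    parsed = parse_version(version)
    if parsed is None:
        return "review"            # unreadable version: check the device by hand
    return "affected" if parsed <= limit else "not listed as affected"

# Constructed sample inventory (hostname, model, firmware), not real data.
INVENTORY = [
    ("plc-line1", "IC695CPE305", "9.20"),
    ("plc-line2", "RX3i CPE330", "9.40"),
    ("plc-pack1", "RSTi-EP CPE 100", "unknown"),
    ("plc-old7", "IC695CPE310", "v8.95"),
    ("hmi-04", "QuickPanel", "2.1"),
]

if __name__ == "__main__":
    for host, model, fw in INVENTORY:
        print(f"{host:10} {model:16} {fw:8} {assess(model, fw)}")
```

Assets reported as "review" have either a model the advisory does not name or a firmware string the script cannot parse, so they need a manual check rather than being treated as safe.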